Signatureless attack detection is becoming the hot topic in threat prevention. Client-side security vulnerabilities are often found in zero-day exploits in the wild, meaning that signature-based intrusion detection and prevention systems are not likely to catch these attacks. Signatureless detection systems are designed to detect these kinds of attacks, and they do provide some additional layer of security. One of the techniques deployed by signatureless systems is called sandboxing. In sandboxing, the signatureless attack detection system executes files that are being transferred over the network in a sandbox. It carefully instruments the execution and, based on that, determines whether the file was malicious. We have analyzed signatureless detection, and particularly the sandboxing technique, and have found several issues in the concept. We have also found ways to completely evade sandboxing. We have taken some peeks into one of the market-leading sandboxing products and will discuss our findings. In this presentation we will highlight the problems we have identified in signatureless attack detection and sandboxing, and present our findings regarding one of the market-leading products. Attendees will better understand the limits of these systems. Even though they do provide an additional layer of security, there are issues one should know about.
Olli-Pekka Niemi has been working in Internet security since 1996. He has experience in offensive security as a Penetration Tester and in defensive security as a System Administrator. Since December 2000, he has been working for Stonesoft R&D, developing Intrusion Prevention Systems and Next Generation Firewalls. His main R&D interests are analyzing network-based threats and evasion research. Mr. Niemi is the founder and head of the Stonesoft Vulnerability Analysis Group (VAG). He is also the Chief Research Officer of Stonesoft. Mr. Niemi has given presentations at various security conferences such as T2, DeepSec, Positive Hack Days, and SIGCOMM.
Antti Levomäki has been working since 2004 in R&D at the Finnish cyber security company Stonesoft. For the last five years he has focused on researching evasion techniques against network security products and writing testing tools. His previous duties include writing attack and application signatures for Stonesoft network security products. Mr. Levomäki holds a Master of Computer Science degree from the University of Helsinki and is currently pursuing a PhD at Aalto University.